US government issues IoT cyber-security guidelines

US government issues IoT cyber-security guidelines

The US government has issued cybersecurity guidelines for the Internet of Things (IoT) in two new reports released this week.

The Obama administration’s National Institute of Standards and Technology, released a report a month ahead of schedule because of a series of large-scale DDoS attacks which have exploited vulnerabilities in IoT devices, and the document’s author, Ron Ross, said the goal would be to build public trust in IoT devices such as smart home appliances and medical apparatus.

“Really what we’re trying to do is get the same trustworthiness that you have when you cross a bridge or fly on an airplane,” he said at Splunk’s annual summit in Washington. “That trustworthiness doesn’t happen by accident. You have to engineer it into the system.”

Unlike other reports into IoT security, Ross said that this particular report provides guidance for each step of the engineering process, in a bid to get security baked in from the outset.

However, Ross acknowledged that when it came to the costs of implementing such security measures, it would be dependent on how much the developer would want to invest into those capabilities.

Meanwhile, Homeland Security has also given six strategic principles for securing IoT devices: including incorporating security at the design phase, advancing security updates, and prioritising security measures according to potential impact.

The other three principles were: building on proven security practices, promoting transparency across IoT and connecting devices carefully and deliberately.

But Clive Longbottom, analyst at Quocirca questions the approach suggested by both US government organisations. He said that the cost of incorporating security into these devices could be prohibitive for manufacturers.

“If an unconnected device costs about £20, and it costs an extra £5 to make it a connected device – it could cost another £20 to make it a secure connected device, and unless someone takes responsibility for maintaining the ‘intelligence’ of thousands or more devices they have under their control, the device will become completely insecure as black hats find ways of breaching the built-in security,” he said.

And the idea of cyber-security upgrades could add even more costs as dedicated, modular operating systems would be needed rather than simple coded firmware, he added. Even with this approach, Longbottom argues that the perennial issue with IoT – that of standardisation – would create complications.

“Would every IoT device manufacturer across the planet agree on using X509 security, and would they all choose to use DES encryption or the cheaper PGP?

“Counting on the device manufacturers is a complete non-starter,” he said.

Instead, he thinks that this additional money that would be invested in securing each separate device should be ploughed into an IoT aggregation device instead.

“Forget about IoT cyber-security at the individual device level. Instead, take a more intelligent approach to architecting an entire IoT environment and invest where the real security intelligence should be,” he suggested.